AD, DNS and NAT

danieltan

I have an AD Windows 2000 domain and DNS on my machine, and currently I
have a NAT connectivity problem from the client. The NAT server seems not to be
getting any traffic from the client, as I noticed there's no mapping in
the NAT local traffic. Does it have any effect from having AD and DNS
on the same machine?

Rgds
Daniel
 
Herb Martin

> I have an AD Windows 2000 domain and DNS on my machine, and currently I
> have a NAT connectivity problem from the client. The NAT server seems not to be
> getting any traffic from the client, as I noticed there's no mapping in
> the NAT local traffic. Does it have any effect from having AD and DNS
> on the same machine?

AD and DNS are FINE on the same machine
(very common but not absolutely required.)

It is a security issue to have the DC (AD) also
be your NAT, but even that CAN work (technically
it is usually just fine -- security is the concern.)

Describe your precise problem?

Internal machines cannot reach the Internet?

Ping doesn't work by BOTH name and IP?

Same for web access? Name AND IP?

In Internet Explorer (etc) this is perfectly legal:

http://www.learnquick.com

....OR...

http://161.58.177.171

(That's me FYI.)
 
Kevin D. Goodknecht Sr. [MVP]

> I have an AD Windows 2000 domain and DNS on my machine and
> currently I have a NAT connectivity problem from the client.
> The NAT server seems not to be getting any traffic from the
> client, as I noticed there's no mapping in the NAT local
> traffic. Does it have any effect from having AD and DNS
> on the same machine?

There are some problems with running AD, DNS, WINS, and RRAS on the same
machine. It can be done, with some registry changes. From your description
of the problem I'm not sure it will fix your problem; make sure you set the
correct interfaces as local and public. You still have to make the registry
changes.

830063 - Name resolution and connectivity issues occur on Windows 2000
domain controllers that have the Routing and Remote Acce:
http://support.microsoft.com/default.aspx?scid=kb;en-us;830063
 
danieltan

Herb, I managed to get my client on the net after I put my external
interface (PPPoE dial-up DSL) into the NAT. My NAT now has 3 interfaces:
internal/local NIC, external (local NIC for PPPoE) and PPPoE interface
for DSL dial-up. I've also set the default static route. But the issue
is there is no port/name mapping on the internal local NIC, only on the PPPoE
dial-up interface. I've read many articles mentioning that it should
have those interfaces. Is this the correct method?

Both ping and friendly name can be used. DNS also does not have any
cached name if connected from the client. The server itself is OK. My client
points to the internal interface/local NIC of the server. But in my DNS,
I didn't put that internal interface/local NIC as the IP for local
DNS. Is this the problem, that there is no cached name in DNS if connecting from
the client?

Rgds
Daniel
 
danieltan

Herb, in my NAT, the local NIC does not have any name mapping but it
can get on the net. The PPPoE public interface is alright and has
mappings. Is this correct?

Regards
Daniel
 
Herb Martin

> Herb, in my NAT, the local NIC does not have any name mapping but it
> can get on the net. The PPPoE public interface is alright and has
> mappings. Is this correct?

I just saw the above message which seems a response
(today 3/15) to a message of mine (or someone named
Herb <grin>) but it is not properly threaded on MY
Outlook Express so I cannot find my message nor the
context.

I also don't really understand the paragraph (above)
and so probably cannot help with this limited info.
 
danieltan

What I mean is in NAT, the internal NIC does not have any traffic,
only the PPPoE public interface. I just wonder how come it doesn't have
any name mapping? Is it supposed to have one?

Regards
Daniel
 
Herb Martin

> What I mean is in NAT, the internal NIC does not have any traffic,
> only the PPPoE public interface. I just wonder how come it doesn't have
> any name mapping? Is it supposed to have one?

Normally "NATs" have nothing to do with "names",
much less the mapping of them. (Although that is
possible in more sophisticated proxy servers that work
at the application layer -- HTTP etc.)

Mappings you would see in the settings of a simple NAT are
usually MANUAL, and would only include mapping attempts
to connect to the outside address on a specific port to an
internal server which handles that type of traffic.

Dynamic mappings, those set up by the internal clients of
the NAT, would be there only as long as the connections
exist (or until timed out if they are abandoned.)

But I still doubt that you are making your real question
clear.

What problem or question do you REALLY wish to ask?
 
danieltan

Herb, well, you did almost answer all my questions. Now I have a NAT
connection to the Internet and my client can access through it. In NAT only
the public interface has the traffic/mapping but not the internal
NIC/interface. I just wonder how could this be? But overall the NAT is
working. But what you mentioned about the manual mapping, does it mean
like establishing a multiuser game connection or a static route to another
server via some preset ports? Does this connection establish via the
internal NIC? This is what I want to know also. Thanks

Rgds
Daniel
 
Herb Martin

> Herb, well, you did almost answer all my questions. Now I have a NAT
> connection to the Internet and my client can access through it. In NAT only
> the public interface has the traffic/mapping but not the internal
> NIC/interface. I just wonder how could this be? But overall the NAT is
> working.

If you are just asking how such NATs do this, I
can likely explain. (If so, this is perfectly normal....)

NATs only translate outbound traffic when sending OUT
an external (and NATed) interface.

Traffic entering on a non-translated (usually Internal) interface
can exit another such interface without being translated and
then there is nothing to "remember" (or map).

The simple NATs usually only have 2 interfaces, so it is easy
to assume that this is the only case -- but even this is no longer
the common case for many such devices: I have several that
have two internal interfaces (Wireless and Ethernet) plus
another External interface (to the cable/DSL etc.).

You can communicate between Wireless and internal Ethernet
with NO mapping just like on any other router (or like a bridge
if you use this setting.)
> But what you mentioned about the manual mapping, does it mean
> like establishing a multiuser game connection or a static route to another
> server via some preset ports?

Yes. (usually)

> Does this connection establish via the
> internal NIC?
> This is what I want to know also. Thanks

No, it initiates on the EXTERNAL NIC, e.g.,:

Trying to Terminal serve to an internal machine:

Map External IP of NAT, on TCP port 3389, to address
of internal machine on port 3389.

You could even map a web request on external address
TCP port 80 to an internal Web server on port 8000
(or any other port the internal server can service.)
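As an added illustration (not code from the thread or from Windows RRAS), the following Python model shows the translation-table behaviour Herb describes: traffic between private interfaces is routed with no mapping, traffic leaving the public interface gets a dynamic mapping that expires when idle, and manual (static) mappings expose an internal server on the public address, such as the 3389 and 80-to-8000 examples above. All addresses, ports and the timeout are constructed for the example; `exposed_services` gives the defender's view of what the static mappings make reachable from outside.

```python
"""Toy model of an RRAS-style NAT translation table (constructed example).

The box has one private LAN and one public (translated) interface, the PPPoE
link. Only packets that leave through the public interface are translated, so
only those appear in the mapping table; packets that enter and leave on private
interfaces are routed untouched, which is why the internal NIC shows no mappings.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"                   # constructed public (PPPoE) address
INTERNAL_NET = ip_network("192.168.1.0/24")  # constructed private LAN
IDLE_TIMEOUT = 60.0                          # seconds before an idle dynamic mapping is dropped


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Mapping:
    proto: str
    public_port: int
    private_ip: str
    private_port: int
    static: bool       # True for a manually configured inbound mapping
    last_seen: float   # time of the last packet that used it


class Nat:
    def __init__(self, public_ip=PUBLIC_IP, internal_net=INTERNAL_NET,
                 idle_timeout=IDLE_TIMEOUT):
        self.public_ip = public_ip
        self.internal_net = internal_net
        self.idle_timeout = idle_timeout
        self.by_public = {}    # (proto, public_port) -> Mapping
        self.by_private = {}   # (proto, private_ip, private_port) -> dynamic Mapping
        self._next_port = 40000

    def is_internal(self, ip):
        return ip_address(ip) in self.internal_net

    def add_static(self, proto, public_port, private_ip, private_port):
        """Manual mapping: expose an internal server on the public address."""
        m = Mapping(proto, public_port, private_ip, private_port, True, 0.0)
        self.by_public[(proto, public_port)] = m
        return m

    def _alloc_port(self):
        while (("tcp", self._next_port) in self.by_public
               or ("udp", self._next_port) in self.by_public):
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def expire(self, now):
        """Drop dynamic mappings whose connection has gone idle; static ones stay."""
        for key, m in list(self.by_public.items()):
            if not m.static and now - m.last_seen > self.idle_timeout:
                del self.by_public[key]
                del self.by_private[(m.proto, m.private_ip, m.private_port)]

    def forward(self, pkt, now):
        """Return (egress_interface, packet_as_sent, mapping_used_or_None)."""
        self.expire(now)
        src_in, dst_in = self.is_internal(pkt.src_ip), self.is_internal(pkt.dst_ip)
        if src_in and dst_in:
            # private to private: plain routing, no translation, nothing to remember
            return "internal", pkt, None
        if src_in:
            # outbound through the public interface: reuse or create a dynamic mapping
            key = (pkt.proto, pkt.src_ip, pkt.src_port)
            m = self.by_private.get(key)
            if m is None:
                m = Mapping(pkt.proto, self._alloc_port(), pkt.src_ip, pkt.src_port, False, now)
                self.by_public[(m.proto, m.public_port)] = m
                self.by_private[key] = m
            m.last_seen = now
            out = Packet(self.public_ip, m.public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            return "public", out, m
        # inbound on the public interface: only ports with a mapping get through
        m = self.by_public.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or m is None:
            return "drop", pkt, None
        if not m.static:
            m.last_seen = now
        out = Packet(pkt.src_ip, pkt.src_port, m.private_ip, m.private_port, pkt.proto)
        return "internal", out, m

    def exposed_services(self):
        """Defender's view: what the static mappings make reachable from outside."""
        return sorted((m.proto, m.public_port, m.private_ip, m.private_port)
                      for m in self.by_public.values() if m.static)
```

Run `Nat().forward(...)` with a LAN-to-LAN packet and the table stays empty; send a packet to an outside address and a dynamic entry appears keyed by the public port. `exposed_services()` is the list worth reviewing on a box that is also a domain controller, since every static entry is an inbound path to an internal host.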
 
danieltan

Herb, so what does the internal NIC do? Although I know the client must
point to it. Can I just remove it and just use the public one? Just curious.

Rgds
Daniel
 
Herb Martin

> Herb, so what does the internal NIC do?

Passes traffic mostly.

In some cases, that one is enabled for DNS or DHCP.
(On ICS it always does these; on NAT-Server-RRAS
it only does these if you ask -- for a hardware device
your mileage may vary.)
> Although I know the client must
> point to it. Can I just remove it and just use the public one? Just curious.

Clients are adjacent to the internal-Private interface so
they use that one as their Default Gateway for simple
networks.

"Remove it"? I don't even know what you mean or why
you would want to do that -- probably the answer is "No".
 
danieltan

Herb, so under what circumstances can I see a local NIC in RRAS get any
mapping? So I guess it's quite alright as long as my NAT is working,
regardless of whether there is any mapping on the local NIC or not. Referring to
removing the local interface, I was wondering, since it isn't used,
why not just remove it. But you have answered my question.

Rgds
Daniel
 
Herb Martin

> Herb, so under what circumstances can I see a local NIC in RRAS get any
> mapping?

I don't think you will EVER see such mappings.

There is NO translation on the internal NIC so there
is no need for such mappings.
> So I guess it's quite alright as long as my NAT is working,
> regardless of whether there is any mapping on the local NIC or not.

What mappings do you expect there? There is no translation
on an internal NIC for the NAT.

Only external NICs are involved in translation (either inbound
or outbound).
> Referring to
> removing the local interface, I was wondering, since it isn't used,
> why not just remove it.

Well, that depends on the NAT software/hardware.

In Windows RRAS, the Internal NIC MUST be added
to the NAT to allow traffic through that NIC to participate
in translations on OTHER (External) NICs.

That is just the way the software works to make it more
flexible -- that means you might or might not have wanted
to include clients on those NICs in public/Internet access.

If you "remove" them, you are saying they may not
participate which I doubt is what you want to do.
> But you have answered my question.

Good.
 